★ Audit scope mismatch

Curve Finance's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Multiple audits exist for NG contracts (ChainSecurity tricrypto-ng 2023-06-23, MixBytes stableswap-ng Sept-Oct 2023, ChainSecurity FeeSplitter 2024-09-25). Exact deployed-bytecode-to-audit-commit-SHA matching is infeasible via public sources (audit PDFs binary, audit index 403); Etherscan verification of NG contracts at Vyper 0.3.10 is confirmed. Legacy v1 pools compiled with Vyper 0.2.15/0.3.0 were not audited for the compiler-level reentrancy guard bug exploited July 2023 — a structural scope gap now partially remediated as those pools are drained and abandoned.

Sources #

URL
Curve tricrypto-ng Smart Contract Audit — ChainSecurityChainSecurity tricrypto-ng auditretrieved 2026-04-28
GitHub
MixBytes StableSwapNG Audit READMEMixBytes StableSwapNG audit READMEretrieved 2026-04-28
URL
Vyper Nonreentrancy Lock Vulnerability Technical Post-MortemVyper reentrancy lock post-mortem (official)retrieved 2026-04-28

Methodology #

Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-001 score yellow collected_at 2026-04-28 19:48:40